From 06876832badf70a9b6414500a6f7389bc6855fe2 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 19 Jun 2015 14:46:53 +0200
Subject: [PATCH 01/17] auth/gensec: gensec_[un]seal_packet() should only work
 with GENSEC_FEATURE_DCE_STYLE

gensec_sig_size() also requires GENSEC_FEATURE_DCE_STYLE if
GENSEC_FEATURE_SEAL is negotiated.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3542d33314e32279340f07f995c1dcbd16106352)
---
 auth/gensec/gensec.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index 8b5c02d..01cceaf 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -41,9 +41,15 @@ _PUBLIC_ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
 	if (!gensec_security->ops->unseal_packet) {
 		return NT_STATUS_NOT_IMPLEMENTED;
 	}
+	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
 	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
 		return NT_STATUS_INVALID_PARAMETER;
 	}
+	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
 
 	return gensec_security->ops->unseal_packet(gensec_security,
 						   data, length,
@@ -81,6 +87,9 @@ _PUBLIC_ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
 	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 		return NT_STATUS_INVALID_PARAMETER;
 	}
+	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
 
 	return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
 }
@@ -109,6 +118,11 @@ _PUBLIC_ size_t gensec_sig_size(struct gensec_security *gensec_security, size_t
 	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 		return 0;
 	}
+	if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
+		if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
+			return 0;
+		}
+	}
 
 	return gensec_security->ops->sig_size(gensec_security, data_size);
 }
-- 
1.9.1


From c472d68a7cd90885fc5265805a0a84827a3c30e4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 20 Jun 2015 16:19:31 +0200
Subject: [PATCH 02/17] auth/gensec: make sure gensec_start_mech_by_authtype()
 resets SIGN/SEAL before starting

We want to set GENSEC_FEATURE_SIGN and GENSEC_FEATURE_SEAL based on the given
auth_level and should not have GENSEC_FEATURE_SEAL if
DCERPC_AUTH_LEVEL_INTEGRITY is desired.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 756508c8c37b0370301a096e35abc171fe08d31c)
---
 auth/gensec/gensec_start.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 9910f1a..b1bc1b9 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -716,6 +716,12 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_s
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 	gensec_security->dcerpc_auth_level = auth_level;
+	/*
+	 * We need to reset sign/seal in order to reset it.
+	 * We may got some default features inherited by the credentials
+	 */
+	gensec_security->want_features &= ~GENSEC_FEATURE_SIGN;
+	gensec_security->want_features &= ~GENSEC_FEATURE_SEAL;
 	gensec_want_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE);
 	gensec_want_feature(gensec_security, GENSEC_FEATURE_ASYNC_REPLIES);
 	if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
-- 
1.9.1


From edcd2854c5eea1f947de1ec5ab28e46a72159ffb Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 19 Jun 2015 16:48:48 +0200
Subject: [PATCH 03/17] dcerpc.idl: add DCERPC_AUTH_PAD_ALIGNMENT (=16)

Windows pads the payload aligned to 16 bytes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2cb3ec5856ab5b7edad8ffd67a5d0f927c161138)
---
 librpc/idl/dcerpc.idl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
index 4dad126..67f4b9d 100644
--- a/librpc/idl/dcerpc.idl
+++ b/librpc/idl/dcerpc.idl
@@ -259,6 +259,7 @@ interface dcerpc
 	} dcerpc_auth;
 
 	const uint8 DCERPC_AUTH_TRAILER_LENGTH = 8;
+	const uint8 DCERPC_AUTH_PAD_ALIGNMENT = 16;
 
 	typedef [public] struct {
 		[value(0)]	      uint32    _pad;
-- 
1.9.1


From 4c6978756525c72f2a3e1afa31670b9d65122a7d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 20 Jun 2015 17:43:47 +0200
Subject: [PATCH 04/17] librpc/rpc: add DCERPC_AUTH_PAD_LENGTH(stub_length)
 helper macro

This calculates the required padding DCERPC_AUTH_PAD_ALIGNMENT
and the stub_length.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f1e3ad269ca8f76876afd8e3837c9c9b48688941)
---
 librpc/rpc/rpc_common.h | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
index ce7e6ea..45d3691 100644
--- a/librpc/rpc/rpc_common.h
+++ b/librpc/rpc/rpc_common.h
@@ -370,4 +370,9 @@ bool dcerpc_sec_verification_trailer_check(
 		const struct dcerpc_sec_vt_pcontext *pcontext,
 		const struct dcerpc_sec_vt_header2 *header2);
 
+#define DCERPC_AUTH_PAD_LENGTH(stub_length) (\
+	(((stub_length) % DCERPC_AUTH_PAD_ALIGNMENT) > 0)?\
+	(DCERPC_AUTH_PAD_ALIGNMENT - (stub_length) % DCERPC_AUTH_PAD_ALIGNMENT):\
+	0)
+
 #endif /* __DEFAULT_LIBRPC_RPCCOMMON_H__ */
-- 
1.9.1


From c56c1637986ccca3a6ed1b459615d1abea0aa0e0 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 19 Jun 2015 16:55:39 +0200
Subject: [PATCH 05/17] s3:librpc/rpc: allow up to DCERPC_AUTH_PAD_ALIGNMENT
 padding bytes in dcerpc_add_auth_footer()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3e6e9e3acd17531148457be59a32727fb87ae43d)
---
 source3/librpc/rpc/dcerpc_helpers.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
index a9b24c8..5f2b94c 100644
--- a/source3/librpc/rpc/dcerpc_helpers.c
+++ b/source3/librpc/rpc/dcerpc_helpers.c
@@ -422,7 +422,7 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
 				size_t pad_len, DATA_BLOB *rpc_out)
 {
 	struct gensec_security *gensec_security;
-	char pad[CLIENT_NDR_PADDING_SIZE] = { 0, };
+	const char pad[DCERPC_AUTH_PAD_ALIGNMENT] = { 0, };
 	DATA_BLOB auth_info;
 	DATA_BLOB auth_blob;
 	NTSTATUS status;
@@ -432,6 +432,8 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
 	}
 
 	if (pad_len) {
+		SMB_ASSERT(pad_len <= ARRAY_SIZE(pad));
+
 		/* Copy the sign/seal padding data. */
 		if (!data_blob_append(NULL, rpc_out, pad, pad_len)) {
 			return NT_STATUS_NO_MEMORY;
-- 
1.9.1


From cfb3c97e2cf27c57c0c23ef81b93787f94597ef9 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 19 Jun 2015 15:52:11 +0200
Subject: [PATCH 06/17] s3:librpc/rpc: fix padding calculation in
 dcerpc_guess_sizes()

The padding needs to be relative to the payload start not to the pdu start.
We also need align the padding to DCERPC_AUTH_PAD_ALIGNMENT (16 bytes).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b2e042ad9652e2dfb39640de43e09030efc41d3d)
---
 source3/librpc/rpc/dcerpc.h         |  2 +-
 source3/librpc/rpc/dcerpc_helpers.c | 22 +++++++++-------------
 source3/rpc_client/cli_pipe.c       |  1 -
 source3/rpc_server/srv_pipe.c       |  1 -
 4 files changed, 10 insertions(+), 16 deletions(-)

diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
index 42429a1..e7d66b7 100644
--- a/source3/librpc/rpc/dcerpc.h
+++ b/source3/librpc/rpc/dcerpc.h
@@ -75,7 +75,7 @@ NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx,
 				 bool bigendian);
 NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
 			    size_t header_len, size_t data_left,
-			    size_t max_xmit_frag, size_t pad_alignment,
+			    size_t max_xmit_frag,
 			    size_t *data_to_send, size_t *frag_len,
 			    size_t *auth_len, size_t *pad_len);
 NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
index 5f2b94c..1193baa 100644
--- a/source3/librpc/rpc/dcerpc_helpers.c
+++ b/source3/librpc/rpc/dcerpc_helpers.c
@@ -225,7 +225,6 @@ NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx,
 * @param header_len	The length of the packet header
 * @param data_left	The data left in the send buffer
 * @param max_xmit_frag	The max fragment size.
-* @param pad_alignment	The NDR padding size.
 * @param data_to_send	[out] The max data we will send in the pdu
 * @param frag_len	[out] The total length of the fragment
 * @param auth_len	[out] The length of the auth trailer
@@ -235,7 +234,7 @@ NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx,
 */
 NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
 			    size_t header_len, size_t data_left,
-			    size_t max_xmit_frag, size_t pad_alignment,
+			    size_t max_xmit_frag,
 			    size_t *data_to_send, size_t *frag_len,
 			    size_t *auth_len, size_t *pad_len)
 {
@@ -277,26 +276,23 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
 	case DCERPC_AUTH_TYPE_KRB5:
 	case DCERPC_AUTH_TYPE_SCHANNEL:
 		gensec_security = auth->auth_ctx;
-		*auth_len = gensec_sig_size(gensec_security, max_len);
+		mod_len = (max_len % DCERPC_AUTH_PAD_ALIGNMENT);
+		*auth_len = gensec_sig_size(gensec_security, max_len - mod_len);
+		if (*auth_len == 0) {
+			return NT_STATUS_INTERNAL_ERROR;
+		}
 		break;
 	default:
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
 	max_len -= *auth_len;
+	mod_len = (max_len % DCERPC_AUTH_PAD_ALIGNMENT);
+	max_len -= mod_len;
 
 	*data_to_send = MIN(max_len, data_left);
 
-	mod_len = (header_len + *data_to_send) % pad_alignment;
-	if (mod_len) {
-		*pad_len = pad_alignment - mod_len;
-	} else {
-		*pad_len = 0;
-	}
-
-	if (*data_to_send + *pad_len > max_len) {
-		*data_to_send -= pad_alignment;
-	}
+	*pad_len = DCERPC_AUTH_PAD_LENGTH(*data_to_send);
 
 	*frag_len = header_len + *data_to_send + *pad_len
 			+ DCERPC_AUTH_TRAILER_LENGTH + *auth_len;
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index dc07495..652a773 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1398,7 +1398,6 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
 	status = dcerpc_guess_sizes(state->cli->auth,
 				    DCERPC_REQUEST_LENGTH, total_left,
 				    state->cli->max_xmit_frag,
-				    CLIENT_NDR_PADDING_SIZE,
 				    &total_thistime,
 				    &frag_len, &auth_len, &pad_len);
 	if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index fecbae2..cc931b6 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -143,7 +143,6 @@ static NTSTATUS create_next_packet(TALLOC_CTX *mem_ctx,
 				    DCERPC_RESPONSE_LENGTH,
 				    data_left,
 				    RPC_MAX_PDU_FRAG_LEN,
-				    SERVER_NDR_PADDING_SIZE,
 				    &data_to_send, &frag_len,
 				    &auth_len, &pad_len);
 	if (!NT_STATUS_IS_OK(status)) {
-- 
1.9.1


From f3637d4d506f57192168de22c8bc5a2d8eaa385c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 19 Jun 2015 22:09:57 +0200
Subject: [PATCH 07/17] s3:rpc_server: remove pad handling from
 api_pipe_alter_context()

This is not needed and windows doesn't use it.
The padding is for the payload in request and response.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a6a6795826954eef6763a39b129a4db578edca01)
---
 source3/rpc_server/srv_pipe.c | 27 ++-------------------------
 1 file changed, 2 insertions(+), 25 deletions(-)

diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index cc931b6..77200f8 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -943,7 +943,6 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
 	struct dcerpc_ack_ctx bind_ack_ctx;
 	DATA_BLOB auth_resp = data_blob_null;
 	DATA_BLOB auth_blob = data_blob_null;
-	int pad_len = 0;
 	struct gensec_security *gensec_security;
 
 	DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
@@ -1080,19 +1079,10 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
 	}
 
 	if (auth_resp.length) {
-
-		/* Work out any padding needed before the auth footer. */
-		pad_len = p->out_data.frag.length % SERVER_NDR_PADDING_SIZE;
-		if (pad_len) {
-			pad_len = SERVER_NDR_PADDING_SIZE - pad_len;
-			DEBUG(10, ("auth pad_len = %u\n",
-				   (unsigned int)pad_len));
-		}
-
 		status = dcerpc_push_dcerpc_auth(pkt,
 						 auth_info.auth_type,
 						 auth_info.auth_level,
-						 pad_len,
+						 0, /* pad_len */
 						 1, /* auth_context_id */
 						 &auth_resp,
 						 &auth_blob);
@@ -1106,22 +1096,9 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
 	 * the dcerpc header */
 	dcerpc_set_frag_length(&p->out_data.frag,
 				p->out_data.frag.length +
-					pad_len + auth_blob.length);
+				auth_blob.length);
 
 	if (auth_resp.length) {
-		if (pad_len) {
-			char pad[SERVER_NDR_PADDING_SIZE];
-			memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
-			if (!data_blob_append(p->mem_ctx,
-						&p->out_data.frag,
-						pad, pad_len)) {
-				DEBUG(0, ("api_pipe_bind_req: failed to add "
-					  "%u bytes of pad data.\n",
-					  (unsigned int)pad_len));
-				goto err_exit;
-			}
-		}
-
 		if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
 					auth_blob.data, auth_blob.length)) {
 			DEBUG(0, ("Append of auth info failed.\n"));
-- 
1.9.1


From 8db6548acee8b1d689b0f3769345d974f0b07b78 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 19 Jun 2015 22:35:44 +0200
Subject: [PATCH 08/17] s4:librpc/rpc: let dcerpc_ship_next_request() use
 DCERPC_AUTH_PAD_ALIGNMENT define

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ef801bae95403e96042f5d8c87085bce21436013)
---
 source4/librpc/rpc/dcerpc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index be9a44c..3f8189d 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -1688,7 +1688,7 @@ static void dcerpc_ship_next_request(struct dcecli_connection *c)
 			chunk_size -= sig_size;
 		}
 	}
-	chunk_size -= (chunk_size % 16);
+	chunk_size -= (chunk_size % DCERPC_AUTH_PAD_ALIGNMENT);
 
 	pkt.ptype = DCERPC_PKT_REQUEST;
 	pkt.call_id = req->call_id;
-- 
1.9.1


From 7b8c81b9d768d6948d3e9807ba56271e0577ae10 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 19 Jun 2015 22:35:44 +0200
Subject: [PATCH 09/17] s4:librpc/rpc: let dcerpc_ship_next_request() use a
 sig_size for a padded payload

The sig_size could differ depending on the aligment/padding.
So should use the same alignment as we use for the payload.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fc249d542fcb8d043ae72eb7963d3a85eb79253a)
---
 source4/librpc/rpc/dcerpc.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index 3f8189d..7194074 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -1681,8 +1681,13 @@ static void dcerpc_ship_next_request(struct dcecli_connection *c)
 	chunk_size -= DCERPC_REQUEST_LENGTH;
 	if (c->security_state.auth_info &&
 	    c->security_state.generic_state) {
+		size_t max_payload = chunk_size;
+
+		max_payload -= DCERPC_AUTH_TRAILER_LENGTH;
+		max_payload -= (max_payload % DCERPC_AUTH_PAD_ALIGNMENT);
+
 		sig_size = gensec_sig_size(c->security_state.generic_state,
-					   p->conn->srv_max_recv_frag);
+					   max_payload);
 		if (sig_size) {
 			chunk_size -= DCERPC_AUTH_TRAILER_LENGTH;
 			chunk_size -= sig_size;
-- 
1.9.1


From 839c961cb556b90711d59539194121ffcb150a6a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 20 Jun 2015 17:47:14 +0200
Subject: [PATCH 10/17] s4:librpc/rpc: let ncacn_push_request_sign() handle
 sig_size == 0 with auth_info as internal error

Don't send plaintext on the wire because of an internal error...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 48f2c383e1d7f52114223cd2a54857426bf64025)
---
 source4/librpc/rpc/dcerpc.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index 7194074..f1c6d47 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -832,13 +832,16 @@ static NTSTATUS ncacn_push_request_sign(struct dcecli_connection *c,
 	size_t hdr_size = DCERPC_REQUEST_LENGTH;
 
 	/* non-signed packets are simpler */
-	if (sig_size == 0) {
+	if (c->security_state.auth_info == NULL) {
 		return ncacn_push_auth(blob, mem_ctx, pkt, NULL);
 	}
 
 	switch (c->security_state.auth_info->auth_level) {
 	case DCERPC_AUTH_LEVEL_PRIVACY:
 	case DCERPC_AUTH_LEVEL_INTEGRITY:
+		if (sig_size == 0) {
+			return NT_STATUS_INTERNAL_ERROR;
+		}
 		break;
 
 	case DCERPC_AUTH_LEVEL_CONNECT:
-- 
1.9.1


From 726ab477eefa8ff9479f0eecac70376d9b9e96db Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 20 Jun 2015 17:49:02 +0200
Subject: [PATCH 11/17] s4:librpc/rpc: fix padding caclucation in
 ncacn_push_request_sign()

This is simplified by using DCERPC_AUTH_PAD_LENGTH() and changes the behaviour
so that we will use no padding if the stub_length is already aligned
to DCERPC_AUTH_PAD_ALIGNMENT (16 bytes).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 114c52e73ed9e0adeac8ad1bc1dc014f3c10f4d6)
---
 source4/librpc/rpc/dcerpc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index f1c6d47..6e3410b 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -884,7 +884,7 @@ static NTSTATUS ncacn_push_request_sign(struct dcecli_connection *c,
 	   whole packet, whereas w2k8 wants it relative to the start
 	   of the stub */
 	c->security_state.auth_info->auth_pad_length =
-		(16 - (pkt->u.request.stub_and_verifier.length & 15)) & 15;
+		DCERPC_AUTH_PAD_LENGTH(pkt->u.request.stub_and_verifier.length);
 	ndr_err = ndr_push_zero(ndr, c->security_state.auth_info->auth_pad_length);
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 		return ndr_map_error2ntstatus(ndr_err);
-- 
1.9.1


From dc6090a75d522e4ffd8031c70f81b6664873d0d2 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 19 Jun 2015 22:35:44 +0200
Subject: [PATCH 12/17] s4:rpc_server: let dcesrv_reply() use
 DCERPC_AUTH_PAD_ALIGNMENT define

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3fbdb255e3ac7ad5261c5fa3836e4a38a0d59221)
---
 source4/rpc_server/common/reply.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source4/rpc_server/common/reply.c b/source4/rpc_server/common/reply.c
index 92bd552..42830ef 100644
--- a/source4/rpc_server/common/reply.c
+++ b/source4/rpc_server/common/reply.c
@@ -194,7 +194,7 @@ _PUBLIC_ NTSTATUS dcesrv_reply(struct dcesrv_call_state *call)
 			chunk_size -= sig_size;
 		}
 	}
-	chunk_size -= (chunk_size % 16);
+	chunk_size -= (chunk_size % DCERPC_AUTH_PAD_ALIGNMENT);
 
 	do {
 		uint32_t length;
-- 
1.9.1


From d31a0ee2413f95f878d674d44a7581510fd1d4c6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 19 Jun 2015 22:35:44 +0200
Subject: [PATCH 13/17] s4:rpc_server: let dcesrv_reply() use a sig_size for a
 padded payload

The sig_size could differ depending on the aligment/padding.
So should use the same alignment as we use for the payload.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 16f3837e026e4cae135bbdddf09b44a02af25b05)
---
 source4/rpc_server/common/reply.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/source4/rpc_server/common/reply.c b/source4/rpc_server/common/reply.c
index 42830ef..007b680 100644
--- a/source4/rpc_server/common/reply.c
+++ b/source4/rpc_server/common/reply.c
@@ -187,8 +187,13 @@ _PUBLIC_ NTSTATUS dcesrv_reply(struct dcesrv_call_state *call)
 	chunk_size -= DCERPC_REQUEST_LENGTH;
 	if (call->conn->auth_state.auth_info &&
 	    call->conn->auth_state.gensec_security) {
+		size_t max_payload = chunk_size;
+
+		max_payload -= DCERPC_AUTH_TRAILER_LENGTH;
+		max_payload -= (max_payload % DCERPC_AUTH_PAD_ALIGNMENT);
+
 		sig_size = gensec_sig_size(call->conn->auth_state.gensec_security,
-					   call->conn->cli_max_recv_frag);
+					   max_payload);
 		if (sig_size) {
 			chunk_size -= DCERPC_AUTH_TRAILER_LENGTH;
 			chunk_size -= sig_size;
-- 
1.9.1


From 5045c82d29e27e0c16a44d6a3cc39775ab52d198 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 20 Jun 2015 17:47:14 +0200
Subject: [PATCH 14/17] s4:rpc_server: let dcesrv_auth_response() handle
 sig_size == 0 with auth_info as error

Don't send plaintext on the wire because of an internal error...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 1bf7ab49b4459e81ab2b82d9668b3d7cb76372f4)
---
 source4/rpc_server/dcesrv_auth.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index d3c317b..63e0566 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -428,7 +428,7 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call,
 	DATA_BLOB creds2;
 
 	/* non-signed packets are simple */
-	if (sig_size == 0) {
+	if (dce_conn->auth_state.auth_info == NULL) {
 		status = ncacn_push_auth(blob, call, pkt, NULL);
 		return NT_STATUS_IS_OK(status);
 	}
@@ -436,6 +436,10 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call,
 	switch (dce_conn->auth_state.auth_info->auth_level) {
 	case DCERPC_AUTH_LEVEL_PRIVACY:
 	case DCERPC_AUTH_LEVEL_INTEGRITY:
+		if (sig_size == 0) {
+			return false;
+		}
+
 		break;
 
 	case DCERPC_AUTH_LEVEL_CONNECT:
-- 
1.9.1


From fbef6c6632e76de4b2528249069e1a0d61e86496 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 20 Jun 2015 17:49:02 +0200
Subject: [PATCH 15/17] s4:rpc_server: fix padding caclucation in
 dcesrv_auth_response()

This is simplified by using DCERPC_AUTH_PAD_LENGTH() and changes the behaviour
so that we will use no padding if the stub_length is already aligned
to DCERPC_AUTH_PAD_ALIGNMENT (16 bytes).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 69c1b4b7c10dd5fd9cacaa3a76c47bc854ee3fed)
---
 source4/rpc_server/dcesrv_auth.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index 63e0566..51f2995 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -478,7 +478,7 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call,
 	   whole packet, whereas w2k8 wants it relative to the start
 	   of the stub */
 	dce_conn->auth_state.auth_info->auth_pad_length =
-		(16 - (pkt->u.response.stub_and_verifier.length & 15)) & 15;
+		DCERPC_AUTH_PAD_LENGTH(pkt->u.response.stub_and_verifier.length);
 	ndr_err = ndr_push_zero(ndr,
 				dce_conn->auth_state.auth_info->auth_pad_length);
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-- 
1.9.1


From 5fa7b42be3b98b0313059520e39b91dda24e83bd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 19 Jun 2015 00:35:29 +0200
Subject: [PATCH 16/17] s4:selftest: run rpc.echo tests also with krb5
 krb5,sign krb5,seal

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 5b917fd6226952a1f792d1ad921d2ae54ab6ab42)
---
 source4/selftest/tests.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index b223e6e..112bf8d 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -187,7 +187,7 @@ for env in ["dc", "fl2000dc", "fl2003dc", "fl2008r2dc", "plugin_s4_dc"]:
         plansmbtorture4testsuite('rpc.echo', env, ["%s:$SERVER[]" % (transport,), '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.echo on %s" % (transport, ))
 
         # Echo tests test bulk Kerberos encryption of DCE/RPC
-        for bindoptions in ["connect", "spnego", "spnego,sign", "spnego,seal"] + validate_list + ["padcheck", "bigendian", "bigendian,seal"]:
+        for bindoptions in ["connect", "krb5", "krb5,sign", "krb5,seal", "spnego", "spnego,sign", "spnego,seal"] + validate_list + ["padcheck", "bigendian", "bigendian,seal"]:
             echooptions = "--option=socket:testnonblock=True --option=torture:quick=yes -k yes"
             plansmbtorture4testsuite('rpc.echo', env, ["%s:$SERVER[%s]" % (transport, bindoptions), echooptions, '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.echo on %s with %s and %s" % (transport, bindoptions, echooptions))
     plansmbtorture4testsuite("net.api.become.dc", env, '$SERVER[%s] -U$USERNAME%%$PASSWORD -W$DOMAIN' % validate)
-- 
1.9.1


From 5190465aa7fcd816fb7bc6f890e9b949af42b646 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 23 Jun 2015 10:27:27 +0200
Subject: [PATCH 17/17] s4:selftest: also run rpc.winreg with kerberos and all
 possible auth options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jun 23 17:31:08 CEST 2015 on sn-devel-104

(cherry picked from commit 6dd117b21ef06da68af67051f2822f71193d193a)
---
 source4/selftest/tests.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 112bf8d..a0ad7ab 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -183,6 +183,13 @@ for env in ["dc", "fl2000dc", "fl2003dc", "fl2008r2dc", "plugin_s4_dc"]:
     plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=clientusespnegoprincipal=yes", '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use target principal" % (transport,))
     plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=gensec:fake_gssapi_krb5=yes", '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use Samba3 style login" % transport)
     plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=clientusespnegoprincipal=yes", '--option=gensec:fake_gssapi_krb5=yes', '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use Samba3 style login, use target principal" % transport)
+
+    # Winreg tests test bulk Kerberos encryption of DCE/RPC
+    # We test rpc.winreg here too, because the winreg interface if
+    # handled by the source3/rpc_server code.
+    for bindoptions in ["connect", "krb5", "krb5,sign", "krb5,seal", "spnego", "spnego,sign", "spnego,seal"]:
+        plansmbtorture4testsuite('rpc.winreg', env, ["%s:$SERVER[%s]" % (transport, bindoptions), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.winreg on %s with %s" % (transport, bindoptions))
+
     for transport in transports:
         plansmbtorture4testsuite('rpc.echo', env, ["%s:$SERVER[]" % (transport,), '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.echo on %s" % (transport, ))
 
-- 
1.9.1